Archive for January 11th, 2008
January 11th, 2008 by Bernadette Irinco (Technical Communications)
TrendLabs researchers have discovered a number of bogus Internal Revenue Service (IRS) Web sites containing links to a host of malicious .EXE files. These bogus Web sites target business managers and accountants, enticing them to click on links that supposedly lead to information on the latest updates to corporate tax laws.
Also, it appears that some of the domains associated with sites hosting these pages may be sitting on Storm botnet fast-flux nodes, so the “back-end” host IP addresses change often. This may be an extension of other phishing and malware activities recently suspected of being hosted in the Storm botnet.
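One way to check for the fast-flux hosting pattern described above, as an added example that is not part of the original post and not Trend Micro tooling: record the A-record answers for a suspect domain over time and look at how many distinct addresses appear, how often the answer set changes between consecutive lookups, and whether the TTLs are consistently short. The lookups in the block are constructed sample data (an invented domain and RFC 5737 documentation addresses), and the thresholds in `looks_fast_flux` are assumptions to be tuned against real resolver logs, not published values.

```python
"""Heuristic fast-flux check over a series of A-record lookups.

Added example, not part of the original TrendLabs post and not Trend Micro
code. Every lookup below is constructed sample data: an invented domain and
RFC 5737 documentation addresses, not observations of the sites in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    """One A-record answer set for a domain, observed at a point in time."""
    ts: int              # seconds since epoch when the answer arrived
    ttl: int             # TTL (seconds) carried on the A records
    addrs: frozenset     # the A records returned in that answer


def flux_score(lookups, short_ttl=300):
    """Summarise how fluxy a domain's resolution history looks.

    Returns (unique_ips, unique_24s, churn, short_ttl_fraction):
      unique_ips          distinct addresses seen across all lookups
      unique_24s          distinct /24 prefixes those addresses fall in
      churn               fraction of consecutive lookups whose answer set
                          differs from the previous one (0.0 .. 1.0)
      short_ttl_fraction  fraction of lookups whose TTL is <= short_ttl
    """
    ordered = sorted(lookups, key=lambda lk: lk.ts)
    if not ordered:
        return 0, 0, 0.0, 0.0
    seen = set()
    for lk in ordered:
        seen |= lk.addrs
    prefixes = {ip_network(f"{a}/24", strict=False) for a in seen}
    changes = sum(1 for a, b in zip(ordered, ordered[1:]) if a.addrs != b.addrs)
    churn = changes / (len(ordered) - 1) if len(ordered) > 1 else 0.0
    short = sum(1 for lk in ordered if lk.ttl <= short_ttl) / len(ordered)
    return len(seen), len(prefixes), churn, short


def looks_fast_flux(lookups, min_unique=6, min_churn=0.5, min_short=0.8):
    """Assumed thresholds: many distinct IPs, answers that change between
    most lookups, and consistently short TTLs. Tune to your own data."""
    unique, _, churn, short = flux_score(lookups)
    return unique >= min_unique and churn >= min_churn and short >= min_short


# Constructed: a domain whose answers rotate every five minutes with 60 s TTLs.
FLUX_SAMPLE = [
    Lookup(0,   60, frozenset({"192.0.2.10", "198.51.100.23", "203.0.113.7"})),
    Lookup(300, 60, frozenset({"192.0.2.44", "198.51.100.23", "203.0.113.99"})),
    Lookup(600, 60, frozenset({"192.0.2.80", "198.51.100.150", "203.0.113.7"})),
    Lookup(900, 60, frozenset({"198.51.100.201", "203.0.113.130", "192.0.2.120"})),
]

# Constructed: conventional hosting, a single address with a one-hour TTL.
STABLE_SAMPLE = [
    Lookup(t, 3600, frozenset({"192.0.2.1"})) for t in range(0, 4 * 3600, 3600)
]

if __name__ == "__main__":
    for name, sample in (("flux.example", FLUX_SAMPLE), ("stable.example", STABLE_SAMPLE)):
        verdict = "fast-flux" if looks_fast_flux(sample) else "stable"
        print(name, flux_score(sample), verdict)
```

In practice the /24 count is the more telling number: a CDN or load balancer also rotates addresses, but within a handful of prefixes, while a botnet of compromised home machines is spread across many residential ranges. The constructed sample only uses three documentation prefixes, so the decision above rests on address count, churn and TTL.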
Here’s a screenshot of one of the fake Web sites:

Clicking on any of these links leads users to download files with such names as:
- ALL_TAXPAYERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
- TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
- ESTATE_AND_TRUST_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
- EXCISE_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
- EXEMPT_ORG_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
- FOREIGN_ISSUES_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
- INDIVIDUALS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
- IRA_TREASURY-MANAGERS_IRS_IMPORTANT_NOTICE_SELF-PDF.EXE
According to Senior Threat Analyst Joey Costoya, these are the same files but with different file names, all of which are detected by Trend Micro as BKDR_ASPROX.B.
On the bright side of things, the bogus domains are actively being blocked by Trend Micro products and are no longer accessible to Trend Micro customers.
The IRS seems to be a frequent target of malicious users, and we actively engage investigators from the U.S. Treasury Department when these issues arise.
Last November, two separate email runs were found to use the name of the IRS: the first solicited donations for victims of the California wildfires, while the second promised users a tax refund and contained a link that pointed to a phony IRS site, which phished for users’ credentials.
January 11th, 2008 by Paul Oliveria (Technical Communications)
“Dial ‘M’ for malware” sounds like a good phrase to sum this up…
TrendLabs researchers have received reports of what appears to be an attempted large-scale DNS poisoning attack in Mexico. True to the growing complexity of Web threats, the weapons of choice include social engineering, a malware download, pharming, and, here’s the clincher, a DSL modem.
Yes, the attack begins with the exploitation of a known vulnerability in 2Wire modems, which allows an attacker to modify the DNS servers and the local host entries the modem uses. One of the main Internet Service Providers in Mexico offers 2Wire modems to its customers, and it is estimated that more than 2 million users are at risk.

According to Trend Micro Engineer Juan Pablo Castro, the said exploit arrives with a newsy email message similar to this one:

The subject and the headline of the article roughly translate to “EU gave 40 years to Mexican Main narco operator of the Tijuana Cartel.”
The said message includes the following exploit code:

Notice that the code is embedded in an “img src” tag. This makes it a cross-site request forgery against the modem’s LAN-side Web console: once an unsuspecting user opens the email in its full HTML format, the mail client fetches the “image” URL on its own, and that URL is really a request that modifies the modem’s local host database so that all requests for banamex.com, the Web site of one of the largest banks in Mexico, are redirected to a fraudulent site. No click is required; only a mail client that does not load remote images by default would fail to issue the request.
Thus, for affected users who wish to access the banking site, even typing banamex.com — which is a legitimate, non-malicious, fully qualified domain name (FQDN) — leads to the fraudulent site. I think we all know how the rest of the story turns out…
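As an added illustration of the delivery mechanism (this is not the exploit code from the post and not Trend Micro code): a small scanner that parses an HTML e-mail, collects every `<img src>`, and flags any whose host is a literal private, loopback or link-local address, since a mail client that auto-loads images would issue those requests to a device on the local network without the user doing anything. The message, the modem address 192.168.1.254, the path `/hosts/add` and its parameters are constructed placeholders and are not the real 2Wire console URL; 203.0.113.5 is an RFC 5737 documentation address standing in for the fraudulent site.

```python
"""Flag <img src> URLs in an HTML e-mail that target LAN-side device addresses.

Added example, not part of the original TrendLabs post and not the exploit
code from the post. The message, the modem address 192.168.1.254, the path
/hosts/add and its parameters are constructed placeholders, not the real
2Wire console URL; 203.0.113.5 is an RFC 5737 documentation address.
"""
import email
from email import policy
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample message modelled on the lure described in the post.
SAMPLE_EML = """\
From: noticias@example.net
To: victim@example.org
Subject: EU dio 40 anos a principal narco del Cartel de Tijuana
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<h1>EU dio 40 anos a principal narco del Cartel de Tijuana</h1>
<img src="http://images.example.net/narco.jpg" alt="">
<!-- constructed placeholder for a hosts-table edit, not the real 2Wire URL -->
<img src="http://192.168.1.254/hosts/add?name=banamex.com&amp;ip=203.0.113.5"
     width="1" height="1">
<p><a href="http://example.net/Video_Narco.rar">Ver video</a></p>
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def lan_image_requests(html):
    """Return the <img src> URLs whose host is a literal private, loopback or
    link-local IP, together with their query parameters. A client that
    auto-loads images would send these requests to a device on the LAN."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parts = urlsplit(src)
        host = parts.hostname
        if host is None:
            continue
        try:
            addr = ip_address(host)
        except ValueError:        # a hostname, not an IP literal; see note
            continue
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            findings.append({
                "src": src,
                "host": host,
                "path": parts.path,
                "params": parse_qs(parts.query),
            })
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and scan its HTML body part."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    return lan_image_requests(body.get_content())


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EML):
        print(f"LAN-side request via <img>: {f['host']}{f['path']} params={f['params']}")
```

Two caveats a practitioner would want. First, the check only catches IP literals; an attacker can point the tag at a hostname that resolves to the gateway address, so a mail-gateway rule should also resolve hostnames or simply strip remote images. Second, scanning mail is a stopgap: the device-side fix is for the modem’s console to require authentication on every state-changing request and to reject configuration changes made through a plain GET that any page or message can trigger.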
Unfortunately, that’s not all. The malicious email message also promises a “video” and includes a link that points to a malicious URL where the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe, which Trend Micro detects as TROJ_QHOST.FX.
You have to hand it to these criminals: they are making sure no stone is left unturned and no security hole unexploited. In any case, Trend Micro already blocks all related malicious URLs/IPs with its Web Threat Protection. Even users whose DNS servers may have been poisoned will receive a notification of possible pharming activity (see image below).

Of course, smart computing practices are still the best policy. As the Web (along with its threats) becomes — like I said — more and more complex, users should arm themselves with all the knowledge and precautions they can get.
Additional information provided by TrendLabs Content Security
January 11th, 2008 by Mayee Corpin (Technical Communications)
A batch of China-made media players sold over the holidays by a Dutch importer was found to carry malware. PCWorld, citing a Kaspersky blog post, identified the malware as a worm. Trend Micro detects it as PE_FUJACKS.FL-O, a file infector that propagates not only via removable drives but also via network shares.
The particular model involved is the 512 MB USB media player called Victory LT-200, which is sold by Victory Nederland. By the first week of January, only three customers had complained about the malware, according to the company’s managing director, Joost Blom, in an interview with PCWorld.
This file infector searches the affected system for files with the following extensions:
These infected files are detected as PE_FUJACKS.EA.
The Victory LT-200 is the latest in a long list of USB media shipped with malware. It can be recalled that October 2006 saw two such incidents, when Video iPods manufactured after September 11 of that year were shipped with WORM_SIWEOL.A and when McDonald’s Japan recalled MP3 player freebies when these were found to be infected by WORM_QQPASS.ADH.
In the same year, satellite navigation devices called TomTom GO 910 shipped between September and November were confirmed to contain two Trojans detected as TROJ_PERLOVGA.A and TROJ_GENERIC. In 2007, another USB infection was seen, this time involving a rootkit detected as RTKT_XCP.B, which is installed along with the Sony MicroVault USM-F fingerprint reader application. This app allows a user to restrict access to files stored in the Sony MicroVault USM-F USB drive through the recognition of user-preset fingerprints.
This latest USB incident again serves as a reminder that new doesn’t always mean safe. Be careful of plug-and-play peripherals that could bring off-the-shelf malware. Fortunately, Trend Micro customers are already protected from this threat.